The traffic hijack, they showed, could be done in such a way that no one would notice because the attackers could simply re-route the traffic to a router they controlled, then forward it to its intended destination once they were done with it, leaving no one the wiser about what had occurred.


DammitIForgotMyLogin:The traffic hijack, they showed, could be done in such a way that no one would notice because the attackers could simply re-route the traffic to a router they controlled, then forward it to its intended destination once they were done with it, leaving no one the wiser about what had occurred.

Except for these people, who apparently noticed it ...

Well you know technically this happens every day on billions or trillions of connections, because that's how BGP works. Dunno if it's really a "security" hole in that if a cable is cut somewhere there in the middle the path taken MAY one day be the best path. The only problem would be if you aren't encrypting traffic that should be encrypted using proper encryption levels.

The data you send out over networks you don't control should ALWAYS be encrypted in a way you want it to be. And yes, "none" is perfectly acceptable for a lot of that traffic.

haemaker:The traffic hijack, they showed, could be done in such a way that no one would notice because the attackers could simply re-route the traffic to a router they controlled, then forward it to its intended destination once they were done with it, leaving no one the wiser about what had occurred.

Aren't BGP advertisements authenticated, as are all interior routing protocols (if done properly)? Unless I missed it, the article didn't mention why the false advertisements were ever accepted by the legitimate routers, as the fake ones wouldn't have the password (I assume). Did these ISPs just leave their BGP traffic unauthenticated and unencrypted? /confused

The technique doesn't attack a bug or flaw in BGP, but simply takes advantage of the fact that BGP's architecture is based on trust.

A protocol architecture based on trust? Gee, that's helpful. For a second there I thought that every security model in the world was based on trust.

If anyone can provide actual details about how this exploit actually works, I'm genuinely curious. Only looked for a minute on google, but it sounds like BGP traffic might be unauthenticated?

aelat:Aren't BGP advertisements authenticated, as are all interior routing protocols (if done properly)? Unless I missed it, the article didn't mention why the false advertisements were ever accepted by the legitimate routers, as the fake ones wouldn't have the password (I assume). Did these ISPs just leave their BGP traffic unauthenticated and unencrypted? /confused

The technique doesn't attack a bug or flaw in BGP, but simply takes advantage of the fact that BGP's architecture is based on trust.

A protocol architecture based on trust? Gee, that's helpful. For a second there I thought that every security model in the world was based on trust.

If anyone can provide actual details about how this exploit actually works, I'm genuinely curious. Only looked for a minute on google, but it sounds like BGP traffic might be unauthenticated?

It's a matter of propagation, improper implementation of the trust mechanism, and a fundamental flaw in the trust mechanism.

BGP ports can be open, i.e., automatic trust. This is useful for purely internal networks, since it cuts down on overhead.

Out in the wild, wild, Internet, good ISPs and backbone providers should configure their exterior routers to only trust routers from other good people.

But if there's a weak spot in the trust chain, or someone goofs when installing a new machine (or more likely, doing an upgrade), then you can inject bad routing information into one router and it will propagate willy-nilly through the whole Internet.

Someone who's smarter than me has to figure out a way to efficiently propagate routing info, across a global network with multiple operators, with an enormous number of addresses, while simultaneously sanitizing or double-checking those routing table entries.

aelat:Aren't BGP advertisements authenticated, as are all interior routing protocols (if done properly)? Unless I missed it, the article didn't mention why the false advertisements were ever accepted by the legitimate routers, as the fake ones wouldn't have the password (I assume). Did these ISPs just leave their BGP traffic unauthenticated and unencrypted? /confused

The technique doesn't attack a bug or flaw in BGP, but simply takes advantage of the fact that BGP's architecture is based on trust.

A protocol architecture based on trust? Gee, that's helpful. For a second there I thought that every security model in the world was based on trust.

If anyone can provide actual details about how this exploit actually works, I'm genuinely curious. Only looked for a minute on google, but it sounds like BGP traffic might be unauthenticated?

The attack is called an IP hijack and, on its face, isn't new. But in the past, known IP hijacks have created outages, which, because they were so obvious, were quickly noticed and fixed. ... Pilosov's innovation is to forward the intercepted data silently to the actual destination, so that no outage occurs. Ordinarily, this shouldn't work - the data would boomerang back to the eavesdropper. But Pilosov and Kapela use a method called AS path prepending that causes a select number of BGP routers to reject their deceptive advertisement. They then use these ASes to forward the stolen data to its rightful recipients.

"Everyone ... has assumed until now that you have to break something for a hijack to be useful," Kapela said. "But what we showed here is that you don't have to break anything. And if nothing breaks, who notices?"

Makes sense that if you think the worst case scenario is a temporary service outage, you're not going to worry much.

On the other hand, even without eavesdropping and forwarding, somebody could just hijack Facebook's IP addresses and put up a fake login page that throws an error on submit. It'll take a while before the right people get notified that it's going on, and you'll have phished a lot of passwords during that time.

aelat:Aren't BGP advertisements authenticated, as are all interior routing protocols (if done properly)? Unless I missed it, the article didn't mention why the false advertisements were ever accepted by the legitimate routers, as the fake ones wouldn't have the password (I assume). Did these ISPs just leave their BGP traffic unauthenticated and unencrypted? /confused

The technique doesn't attack a bug or flaw in BGP, but simply takes advantage of the fact that BGP's architecture is based on trust.

A protocol architecture based on trust? Gee, that's helpful. For a second there I thought that every security model in the world was based on trust.

If anyone can provide actual details about how this exploit actually works, I'm genuinely curious. Only looked for a minute on google, but it sounds like BGP traffic might be unauthenticated?

Yes, generally BGP peering relationships with ISPs are authenticated, but that's not the problem.

Say you are the head network guy for the Way Cool Corporation. Your corporation owns network address 10.1.0.0/16 (so all the IPs from 10.1.0.1 to 10.1.255.254) (yes, I know that's a private address, it's just an example), and you advertise a route for 10.1.0.0/16 out to the Internet via your ISP. All well and good.

Now let's say I'm the Nefarious Network Hacker in Iceland or whatever. I have my own ISP connection (which is properly authenticated). I start advertising 10.1.0.0/24 (10.1.0.1 to 10.1.0.254), 10.1.1.0/24, and so on. Because those are more specific routes, they will take priority, and I'll get all that tasty traffic. Authentication doesn't enter into it.

Now in theory an ISP shouldn't just let someone advertise anything willy-nilly. I'm fairly certain most major ISPs will check to make sure you're the registered holder of an IP before you advertise it, but that's a labor-intensive process and it would not surprise me to find out there are shady ISPs out there that don't really nail that down.
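The two halves of cheer's explanation, as an added example that is not from the thread or any vendor's code: longest-prefix match lets a more-specific /24 beat the legitimate /16 no matter who announced it, and the per-session prefix-list filter a careful ISP applies is what keeps the bogus announcement out. AS numbers, peer names and the hijacker's 192.0.2.0/24 allocation are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin_as: int   # AS that originated the announcement (constructed values)
    peer: str        # the BGP session it arrived on


def parse(prefix: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(prefix, strict=True)


# Constructed table: Way Cool Corp's legitimate /16 (AS 64500) plus the
# more-specific /24s injected by the hijacker (AS 64666) via a second ISP.
TABLE = [
    Route(parse("10.1.0.0/16"), 64500, "isp-a"),
    Route(parse("10.1.0.0/24"), 64666, "isp-b"),
    Route(parse("10.1.1.0/24"), 64666, "isp-b"),
]


def select_route(table, dst: str):
    """Longest-prefix match: the most specific covering prefix wins,
    regardless of who announced it or whether the session was authenticated."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in table if ip in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


# Defender side: what each customer session is registered to hold.
# The hijacker's real allocation is a TEST-NET block, constructed for the example.
REGISTERED = {
    "isp-a": [parse("10.1.0.0/16")],
    "isp-b": [parse("192.0.2.0/24")],
}


def filter_announcements(announcements, registered):
    """Prefix-list filter: admit an announcement only if it lies inside a
    block the announcing peer is registered for; everything else is dropped."""
    accepted, rejected = [], []
    for r in announcements:
        allowed = registered.get(r.peer, [])
        (accepted if any(r.prefix.subnet_of(a) for a in allowed) else rejected).append(r)
    return accepted, rejected
```

With the filter in place the hijacker's /24s never enter the table, so traffic for 10.1.0.50 follows the /16 to its real owner.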

cheer:Now in theory an ISP shouldn't just let someone advertise anything willy-nilly. I'm fairly certain most major ISPs will check to make sure you're the registered holder of an IP before you advertise it, but that's a labor-intensive process and it would not surprise me to find out there are shady ISPs out there that don't really nail that down.

If that's the case, would it only hijack traffic coming from users in those shady ISPs? This article's making it sound like these things affect everybody. I'm not saying Comcast isn't shady, but if things worked the way you said, Average Joe Internet User isn't going to have to worry because he uses a competent name brand ISP.

serial_crusher:cheer: Now in theory an ISP shouldn't just let someone advertise anything willy-nilly. I'm fairly certain most major ISPs will check to make sure you're the registered holder of an IP before you advertise it, but that's a labor-intensive process and it would not surprise me to find out there are shady ISPs out there that don't really nail that down.

If that's the case, would it only hijack traffic coming from users in those shady ISPs? This article's making it sound like these things affect everybody. I'm not saying Comcast isn't shady, but if things worked the way you said, Average Joe Internet User isn't going to have to worry because he uses a competent name brand ISP.

Or, is it some kind of thing where the legit ISPs mistakenly trust the shady one? i.e. the traffic normally looks like

me: "Hello, Comcast. I'm the legitimate owner of 10.0.0.1 and here's proof."
Comcast: "Hello, Verizon. One of my users is the legitimate owner of 10.0.0.1"
Verizon: "Thanks, old buddy"

or

me: "Hello, Shady ISP. I'm the legitimate owner of 123.4.5.6. No proof needed wink wink nudge nudge"
Shady ISP: "Hello, Verizon. One of my users is the legitimate owner of 123.4.5.6"
Verizon: "Thanks, old buddy"

If that's the case, they should rewrite the protocol to pass the proof at every step and verify it.

me: "Hello, Comcast. I own 127.0.0.1 and here's proof."
Comcast: "Hello, Verizon. serial_crusher said the following: 'I own 127.0.0.1 and here's proof'"
Verizon: "Yup, proof checks out. Thanks old buddy."

serial_crusher:cheer: Now in theory an ISP shouldn't just let someone advertise anything willy-nilly. I'm fairly certain most major ISPs will check to make sure you're the registered holder of an IP before you advertise it, but that's a labor-intensive process and it would not surprise me to find out there are shady ISPs out there that don't really nail that down.

If that's the case, would it only hijack traffic coming from users in those shady ISPs? This article's making it sound like these things affect everybody. I'm not saying Comcast isn't shady, but if things worked the way you said, Average Joe Internet User isn't going to have to worry because he uses a competent name brand ISP.

No, because the next "tier" of ISP has no way of gating all the routes coming from all of their customers' customers. So it accepts the routes and passes them on until they're everywhere.

If that's the case, they should rewrite the protocol to pass the proof at every step and verify it.

me: "Hello, Comcast. I own 127.0.0.1 and here's proof."
Comcast: "Hello, Verizon. serial_crusher said the following: 'I own 127.0.0.1 and here's proof'"
Verizon: "Yup, proof checks out. Thanks old buddy."

Thing is, that means that every route advertisement would have to somehow embed this proof. And while I think that someday we really will have to get to this point, it would be a massive undertaking. Plus, the proof itself would have to be sorted out. I guess you could do it with certs and encrypted signatures, but now you're passing massive certs and what have you with every routing advertisement. Since advertisements can have thousands and thousands of prefixes, the size of these advertisements would become enormous.

So you'd need to work out a bandwidth-lite way to do this. It's got to happen, but it will take a long time.

cheer:I guess you could do it with certs and encrypted signatures, but now you're passing massive certs and what have you with every routing advertisement.

yeah, if you check the renesys site, you can see they're recommending a PKI-based solution for BGP. It'd still leave you with every problem we currently have with PKI (plus the overhead you mentioned) but it's better than what we have now

asdfbeau:cheer: I guess you could do it with certs and encrypted signatures, but now you're passing massive certs and what have you with every routing advertisement.

yeah, if you check the renesys site, you can see they're recommending a PKI-based solution for BGP. It'd still leave you with every problem we currently have with PKI (plus the overhead you mentioned) but it's better than what we have now

Yeah, I don't fully grok the issues with PKI (security isn't my main thing), but I agree it'd be better.
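The "bandwidth-lite" version of the proof cheer and asdfbeau are circling is how RPKI route origin validation actually works: the signed authorizations (ROAs) are fetched out of band and cached, and the announcement itself carries nothing extra. The check below applies RFC 6811 semantics to a cached ROA set; it is an added example, not code from the thread or from any RPKI implementation, and the prefixes and AS numbers are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: the holder of `prefix` authorizes
    `origin_as` to originate it, at most as specific as `max_length`."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_as: int


@dataclass(frozen=True)
class Announcement:
    prefix: ipaddress.IPv4Network
    origin_as: int


def validate(ann: Announcement, roas) -> str:
    """Origin validation per RFC 6811: 'not-found' if no ROA covers the
    prefix, 'valid' if some covering ROA matches both the origin AS and the
    length limit, otherwise 'invalid'."""
    covering = [r for r in roas if ann.prefix.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for r in covering:
        if r.origin_as == ann.origin_as and ann.prefix.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def accept_routes(announcements, roas):
    """Defender policy: drop 'invalid' announcements, keep 'valid' and
    'not-found' (the latter because ROA coverage is never complete)."""
    return [a for a in announcements if validate(a, roas) != "invalid"]


# Constructed cache: the /16 holder (AS 64500) authorizes only itself, and
# only at /16, so any more-specific announcement is rejected even from AS 64500.
ROAS = [ROA(ipaddress.ip_network("10.1.0.0/16"), 16, 64500)]

RECEIVED = [
    Announcement(ipaddress.ip_network("10.1.0.0/16"), 64500),   # legitimate
    Announcement(ipaddress.ip_network("10.1.0.0/24"), 64666),   # hijack
    Announcement(ipaddress.ip_network("10.1.1.0/24"), 64500),   # leaked /24
    Announcement(ipaddress.ip_network("192.0.2.0/24"), 64666),  # no ROA
]
```

Origin validation only checks who originated a prefix, not the AS path it arrived with, so it closes the more-specific hijack discussed above but not path manipulation; that needs a separate mechanism.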

serial_crusher:cheer: Now in theory an ISP shouldn't just let someone advertise anything willy-nilly. I'm fairly certain most major ISPs will check to make sure you're the registered holder of an IP before you advertise it, but that's a labor-intensive process and it would not surprise me to find out there are shady ISPs out there that don't really nail that down.

If that's the case, would it only hijack traffic coming from users in those shady ISPs? This article's making it sound like these things affect everybody. I'm not saying Comcast isn't shady, but if things worked the way you said, Average Joe Internet User isn't going to have to worry because he uses a competent name brand ISP.

NSA: "Dear Comcast, please make sure that all inbound traffic to your network, including, just incidentally and by sheer coincidence, all US-originated inbound traffic, gets re-routed through at least one non-US country. No, you can't talk about it, no, you don't need to know why, and no, we might not even care which nodes you choose, but if you do, here are a few that should be fast enough for your needs..."

/seriously, the more you try to secure something, the simpler it seems to actually get to it
//ball-point pen in the bike lock-style
///can't wait until we go back to paper for "security" reasons. . . lulz

omnibus_necanda_sunt:Why the fark was anything designed to be based on trust? I thought the internet was designed so that the US government could maintain communications after a nuclear war.

Which has nothing whatsoever to do with the topic at hand. The Internet is designed to be redundant, and it absolutely is. You can take out multiple links and traffic will re-route quite nicely.

It was designed to be based on trust because it wasn't built in the last five years. Version 4 of BGP (the current one) has been in use on the Internet for almost 20 years. Adding a PKI layer to routing would be a CPU/memory/bandwidth issue NOW, let alone in 1994.

aelat:Aren't BGP advertisements authenticated, as are all interior routing protocols (if done properly)? Unless I missed it, the article didn't mention why the false advertisements were ever accepted by the legitimate routers, as the fake ones wouldn't have the password (I assume). Did these ISPs just leave their BGP traffic unauthenticated and unencrypted? /confused

The technique doesn't attack a bug or flaw in BGP, but simply takes advantage of the fact that BGP's architecture is based on trust.

A protocol architecture based on trust? Gee, that's helpful. For a second there I thought that every security model in the world was based on trust.

If anyone can provide actual details about how this exploit actually works, I'm genuinely curious. Only looked for a minute on google, but it sounds like BGP traffic might be unauthenticated?

I manage around 6 BGP links to different ISPs. Only one of those ISPs uses MD5 authentication on the BGP neighbor configuration by default. Besides, that only protects the routers from a BGP neighbor attack. I could still tell the BGP router I'm attached to at ISP A that I announce this subnet. While some ISPs do use prefix-list filters and routing databases, not all of them do, and the trust relationships for that are pretty flimsy.